by henvic 1944 days ago
The main issue here is that in the JavaScript ecosystem there is this trend of using external dependencies for everything, regardless of size (i.e., left-pad), and trusting forward versions blindly. Security in the npm / JS / node_modules ecosystem is quite reactive, instead of active.

If there is a bad actor that releases a widely used dependency, for sure it's going to be gone from npm quite fast most of the time! However, it'll take some time for it to get noticed, and people will invariably get affected.

You shouldn't bring an open honeypot to a place where bears can attack you easily, right?


If you remove the "regardless of size" part, you'll be describing any modern language dependency system.

And most of them also execute external code on module importation... which I'm not sure is even relevant, because you will run the module at some point anyway.

So, yeah, JS makes the problem one or two orders of magnitude larger. But the problem is still there, whether you use npm or avoid it.
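The two exposure points the thread describes, floating version ranges and install-time scripts, can be checked mechanically. The following is an added example, not code from either commenter: it audits a constructed package.json for dependency specs that are not exact pins and lists the lifecycle hooks a dependency manifest would run at install time (the manifests and package names are made up).

```javascript
// Added example: audit manifests for floating version ranges and install hooks.
// Sample manifests below are constructed, not taken from a real project.

// Exact pin: "1.2.3" (optionally with prerelease/build metadata). Anything else
// (^, ~, ranges, *, dist-tags, URLs) lets a future publish change what installs.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Lifecycle scripts npm runs automatically for a registry dependency during
// `npm install` (git dependencies additionally run "prepare").
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return every dependency whose spec is not an exact version pin.
function findFloatingDependencies(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Return the install-time hooks a package's manifest declares.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Constructed sample: a project manifest and one installed dependency's manifest.
const projectManifest = {
  dependencies: { "left-pad": "^1.3.0", express: "4.18.2", lodash: "*" },
  devDependencies: { mocha: "~10.2.0" },
};
const depManifest = {
  name: "some-dep", version: "2.0.0",
  scripts: { postinstall: "node ./setup.js", test: "mocha" },
};

// Combine both checks into one report for review.
function auditReport(project, dep) {
  return {
    floating: findFloatingDependencies(project).map((d) => `${d.name}@${d.spec}`),
    hooks: findInstallHooks(dep),
  };
}

console.log(JSON.stringify(auditReport(projectManifest, depManifest), null, 2));
```

Running the same two functions over every manifest under node_modules (or, better, over the lockfile) turns the thread's "trusting forward versions blindly" into a list you can act on.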